@ISACA Volume 16: 4 August 2010 

@ISACA Relevant, Timely News 

New Audit/Assurance Programs Developed in Response to Member Needs

In response to the needs communicated by professionals in the field, ISACA® has embarked on a development initiative to provide new and updated audit/assurance programs.

The new Windows Active Directory Audit/Assurance Program evaluates the necessary secure Active Directory infrastructure to support the servers and workstations within the enterprise. The focus is on the configuration controls relating to:
  • Active Directory management
  • Secure Active Directory boundaries
  • Secure domain controllers
  • Physical security of the domain controllers
  • Secure domain and domain controller configuration settings
  • Secure administrative practices

The new Information Security Management Audit/Assurance Program focuses on information security management of processes associated with the:

  • Governance, policy, monitoring, incident and information security function management
  • Implementation of security configurations
  • Selection and maintenance of security technologies

In addition to these two new programs, the Security, Audit and Control Features Oracle® E-Business Suite, 3rd Edition (Technical and Risk Management Reference Series) audit program and ICQ appendices have been posted in Word for ISACA members as a complimentary download. These appendices of the updated popular ISACA reference include:

  • Oracle® Financial Accounting Business Cycle Audit Plan
  • Oracle® Expenditure Business Cycle Audit Plan
  • Oracle® Security Administration Audit Plan
  • Oracle® E-Business Suite Security Audit ICQs

The audit/assurance programs are provided to ISACA members as complimentary Word documents so they can be easily customized to the needs of each assignment. Click here for member-only, complimentary downloads. Many programs are also available to nonmembers for purchase in the ISACA Bookstore.


Six Tips on Implementing an Effective Enterprise Risk Management (ERM) Framework1
By Tara Kissoon, CISA, CISSP

  1. Align the organization’s risk appetite with its corporate strategy.
  2. Enhance risk-response decisions such as:
    • Risk avoidance—Consequence of risk exposure is higher than the organization’s risk appetite
    • Risk transfer—Eliminating or reducing the organization’s risk by transferring the risk to another party
    • Risk mitigation—Reducing the risk exposure through creation of mitigation strategies/action plans
    • Risk acceptance—Cost to reduce the risk is not justified and risk is viewed as immaterial
  3. Reduce operational loss and potential unknowns.
  4. Identify and manage enterprise risk across the organization. Areas include:
    • Brand/reputation
    • Business unit/geography
    • Legal/regulatory
    • Financial/market
    • Operations/systems
  5. Utilize opportunities through consideration of potential outcomes.
  6. Incorporate risk consideration into the decision-making process, which may enhance deployment of capital across the organization.

Tara Kissoon, CISA, CISSP, is a director at Visa Inc. Her expertise is focused in developing and implementing information security and risk management controls across global payment systems.

1 As defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)


ISACA Conference Tackles Cloud Computing
Information Security and Risk Management Conference • Vienna, Austria • 3-5 November

Security concerns surrounding cloud computing are frequently discussed within business and the media. In their roles, ISACA® members help organizations establish justified trust in cloud solutions while realizing the value those organizations expect. To do this, they need the right tools and information.

The Information Security and Risk Management (ISRM) conferences in Las Vegas, Nevada, USA, and Vienna, Austria, provide opportunities to learn and share on this timely and relevant topic. Dave Cullinane, eBay CISO and Cloud Security Alliance Board member, will deliver the opening conference presentation at both locations. In addition, both conferences are providing a conference within a conference, with several sessions that will specifically address cloud computing issues.

Click here for more information and to register for the ISRM conference in Vienna. Click here for more information and to register for the ISRM conference in Las Vegas. Those interested in these programs may also be interested in ISACA’s recent white paper on cloud computing.


Certification Requirements Encourage Ongoing Learning
Hans Henrik Aabenhus Berthing, CISA, CGEIT, CRISC, CIA, CPA, Shares His Experiences With Certifications

Having earned several credentials in his field, Hans Henrik Aabenhus Berthing believes they demonstrate well his expertise. “I see these certifications as important when you need to show business partners that you have knowledge and experience in the area you are working,” he said.

Further, Berthing appreciates the continuous demand for education, experience and training that the Certified Information Systems Auditor™ (CISA®) and Certified in the Governance of Enterprise IT® (CGEIT®) certifications impose, through the continuing professional education (CPE) requirements needed to maintain ISACA certifications.

“These certifications are a great acknowledgement of the quality of my work,” Berthing said. “They have provided me the opportunities to get some good job assignments and positions.”

To meet the CPE requirements, Berthing takes advantage of many options provided by ISACA®. He participates in local ISACA seminars, acting as a trainer and facilitator, and volunteers for various ISACA activities and chapter events.

A strong believer in utilizing educational resources, Berthing shares that perspective when approached by those considering pursuing ISACA credentials. He advises, “Be part of a training group and get review materials from ISACA as soon as possible. Also, participate in an exam review course.”

For those who are students looking to work in the field after graduation, he, again, emphasizes the importance of ongoing education, advising, “Make sure to seek a job that provides opportunities for learning and training. Make sure that, every day, you have learned something new. Also, earning an international professional certification is important.”

Hans Henrik Aabenhus Berthing, CISA, CGEIT, CIA, CPA, is IT audit director at Beierholm - HLB International. He is vice president, editor of the newsletter, member director and immediate past president of the ISACA Denmark Chapter. He is also a member of the Information Committee at FSR (Danish AICPA).

Click here for information on ISACA certifications.


Mapping of FFIEC With COBIT Is Now Available

The COBIT® Mapping Series is an ongoing ISACA® research initiative that maps other standards and frameworks to COBIT. These papers provide ISACA members and constituents with a proven IT governance framework that can be leveraged in their organizations with other applicable frameworks and standards.

COBIT® Mapping: Mapping FFIEC With COBIT® 4.1 is particularly valuable because of the heightened regulatory scrutiny of financial institutions. Since COBIT does not cover the specific details necessary to be in compliance with FFIEC requirements, the mapping is a useful reference guide to assist in navigating the details of the FFIEC Information Technology Examination Handbook (FFIEC IT Handbook). The research and expert reviewer team for this mapping document was represented by associates of major accounting firms and financial institutions, as well as the US Federal Deposit Insurance Corporation (FDIC).

COBIT should be used as the umbrella framework for the governance of IT; the FFIEC IT Handbook should be used as specific guidance to promote uniformity in the supervision of financial institutions. The FFIEC IT Handbook booklets make the expectations of IT examiners easier to understand and to meet. Although the booklets are intended for a wide-ranging audience, the content is written at a level appropriate for a mid-level IT examiner. The handbook contains 11 booklets, each focusing on one topic and offering general control and audit guidance. It is important to note that only seven of the 11 FFIEC IT Handbook booklets were found to have a broad enough scope to be effectively mapped to COBIT.

The mapping of the two provides value to financial institutions that have already adopted the COBIT framework.

Click here for a member-only, complimentary PDF download of COBIT Mapping: Mapping FFIEC With COBIT 4.1.
